Snort 2.9.6.2 v3.1.5 – Bug fix update release notes



  • Snort 2.9.6.2 pkg v3.1.5 – Release Notes

    This is a bug fix update only that addresses the auto-start failure on nanoBSD installations.  The Snort binary version remains at 2.9.6.2.

    Install Notes:  It is sufficient for this update to perform a GUI Components Only install by clicking the XML icon beside the package on the Installed Packages tab.

    Bug Fixes

    1.  Snort fails to automatically start following a firewall reboot on nanoBSD installs of pfSense.

    Bill



  • Bill,

    I'm running 3.1.4 on 2.2, full install on USB thumb drive but with \var and \tmp on ramdisk. I'm seeing the same or similar issues with pfSense restarts, i.e. Snort fails to start. Hopefully this will work for me too.

    I'll give it a whirl and report back.

    Paul



  • Hi Bill

    Last time, getting stuck on the "Waiting for Snort to started" message was an easy fix with a reinstall.
    But this time a reinstall wouldn't work, and neither would removing the package and selecting it again from the Package list.

    You mentioned in a few posts that the configuration file might be corrupted.
    Is there any way to remove the configuration file without access to the Snort GUI? I ask because I have no Snort showing in my service list or pfSense menu, and I have also ticked the option not to remove the Snort configuration file while uninstalling. This way I can start fresh.

    Also, is there a way to read part of the config file, say the Suppress List?

    P.S. From the memory usage it looks like Snort is still running, and blocking is showing up in Snort Alert.

    Thank you for your help.

    Val



  • @val:

    What kind of install do you have for pfSense: a full install with conventional hard disk, or a nanoBSD install?

    What version of pfSense are you running?

    Bill



  • @bmeeks:

    Full install on SSD, 2.1.5 RELEASE.

    There is no error of any kind in the system log either.

    Val



  • @val:

    Do you have any other packages installed on this box besides Snort?  I have tested and tested in my VMs and cannot reproduce this problem with Snort seeming to install and run but not show up in the menus.  However, I think about three folks have posted with this issue; so I would like to get to the bottom of it if I can.

    The problem is going to be within the <installedpackages> tag in your config.xml file.  The entries for the Snort menu parameters are likely missing.  I don't know how that could have happened, though.

    Here is what that section should look like –

    <installedpackages>

    <menu>
    <name>Snort</name>
    <tooltiptext>Set up snort specific settings</tooltiptext>
    <section>Services</section>
    <url>/snort/snort_interfaces.php</url>
    </menu>

    <service>
    <name>snort</name>
    <rcfile>snort.sh</rcfile>
    <executable>snort</executable>
    </service>

    </installedpackages>

    The sections I listed above are likely missing.

    Bill
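
A check for the entries listed in the post above, as an added example that is not part of the original thread or of the Snort package code: it parses a config.xml and reports which Snort menu and service entries under installedpackages are missing or differ. The sample XML and the function name check_snort_entries are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values taken from the entries quoted in the post above.
EXPECTED = {
    "menu": {"name": "Snort", "url": "/snort/snort_interfaces.php"},
    "service": {"name": "snort", "rcfile": "snort.sh", "executable": "snort"},
}

# Constructed sample (not from a real firewall): the Snort <service> entry is
# present but the Snort <menu> entry is missing.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <installedpackages>
    <menu>
      <name>bandwidthd</name>
      <url>/bandwidthd/index.html</url>
    </menu>
    <service>
      <name>snort</name>
      <rcfile>snort.sh</rcfile>
      <executable>snort</executable>
    </service>
  </installedpackages>
</pfsense>
"""


def check_snort_entries(config_xml):
    """Return a list of problems with the Snort entries in <installedpackages>."""
    root = ET.fromstring(config_xml)
    pkgs = root if root.tag == "installedpackages" else root.find(".//installedpackages")
    if pkgs is None:
        return ["no <installedpackages> element found"]
    problems = []
    for tag, want in EXPECTED.items():
        # Only direct children count; match on the exact <name> text.
        hits = [e for e in pkgs.findall(tag)
                if (e.findtext("name") or "").strip() == want["name"]]
        if not hits:
            problems.append(f"missing <{tag}> entry named {want['name']!r}")
            continue
        if len(hits) > 1:
            problems.append(f"{len(hits)} <{tag}> entries named {want['name']!r}")
        for field, value in want.items():
            found = (hits[0].findtext(field) or "").strip()
            if found != value:
                problems.append(f"<{tag}> <{field}> is {found!r}, expected {value!r}")
    return problems


if __name__ == "__main__":
    for line in check_snort_entries(SAMPLE_CONFIG) or ["Snort menu and service entries present"]:
        print(line)
```

Run it against a backup copy of config.xml rather than the live file; an empty result means both entries are present with the values from the post.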



  • @bmeeks:

    Hi Bill, apart from Snort, the packages I am using are as follows:
    bandwidthd
    nut
    Service Watchdog - with Snort added.

    Also, just an update on the issue that I had: after a few reinstall tries it got past the "Waiting for Snort to started" bit, and now Snort is back on my menu.
    Not really sure how, but it did.

    Thank you

    Val


  • Banned

    Since I got home from Greenland, Snort has been acting quite strange in my home setup. Servers run fine on 2.1.4 but home setup is 2.1.5 X64.

    Thing is, I get a portscan from my WAN IP all the time going only to DNS related traffic.

    Then WAN IP is blocked and surf's up! :(




  • Your interface is blue… that's weird! ;)



  • @Supermule:

    Responded to your other message via e-mail.  The problem is a typo bug that happened when 3.1.4 was released.  A version string in a file did not get updated from 3.1.3 to 3.1.4.  That caused the package sync function for Snort to not be called by pfSense when certain firewall events occurred.  Two of those events were reboots and WAN IP address changes.  The sync function is called to alert a package that some event has occurred that might require the package to make some updates.  With Snort, one important thing that needs to happen during a reboot or a WAN IP address change is that the PASS LIST needs to be regenerated so it will contain the new WAN IP.  Also, on nanoBSD boxes, some directories on RAM disks need to be recreated (on a reboot).

    So the bug that was introduced in Snort 2.9.6.2 pkg v3.1.4 caused Snort to not restart on nanoBSD installs following a reboot, and it also caused the PASS LIST to not get updated with a changed WAN IP address.  These problems were corrected in the v3.1.5 package posted recently.

    Sorry about the bug,
    Bill


  • Banned

    No worries dude!

    Running smooth on all the boxes at the hosting site and privately!